The George Washington University Hospital

Information Technology Team

TIGERCONNECT

(Secured Texting Services)

Standard Operating Procedures

Prepared by:

Marvin E. Onyemaechi

Director, GWUH IT Operations

Approved by:

Marvin E. Onyemaechi, Director, GWUH IT Operations

Dr. Brian Choi, MFA CMIO

Dr. Bruno Petinaux, GWUH CMO

Dr. William Borden, MFA Director of Healthcare Delivery Transformation

GWUH-IT-TT-SOP01

Project Identification

Project Name: Implementation of Secured Texting using TigerConnect Solution

Technical Project Team: Marvin E. Onyemaechi, Travis Sargeant and Steve Wong

Director/Project Sponsor: Marvin E. Onyemaechi

CIO: Nathan Read

Reviewer(s): Marvin Onyemaechi, Dr. B. Petinaux, Dr. B. Choi, Dr. W. Borden, Dr. J. Catalanotti, Travis Sargeant and One GW Information Council

Approver: GWUH IT Management and One GW Information Council Team

Version & Change History Log [1]

Date        Version  Description                                              Author
06/04/2016  v.1      Secured Texting SOP                                      Marvin E. Onyemaechi
08/02/2016  v.1wb    Secured Texting SOP                                      Dr. W. Borden
01/05/2017  v.1.5    Secured Texting Updates, FAQ, and CORES                  Marvin E. Onyemaechi
08/01/2018  v2.EMO   Brand Updates, Policy and Process Update, Roles Feature  Marvin E. Onyemaechi
10/01/2018  v3.5     Updates with recent policy changes                       Marvin E. Onyemaechi

[1] Changes listed that are not shaded (approved) will require further approval by the Project Sponsor.

Table of Contents

1 PURPOSE AND SCOPE
2 DEFINITIONS
3 ROLES AND RESPONSIBILITIES
4 PROCEDURES
    4.1 Privacy
    4.2 Participation (Teamwork)
    4.3 Role Based Function
    4.4 Usage & Etiquette
    4.5 Provider Order
    4.6 Consequences
    4.7 Data Retention
5 SECURITY
6 STAFF BYOD EXCEPTION
7 CORPORATE POLICY
8 CONTACT INFORMATION
9 GENERAL INFORMATION
10 APPENDICES
    Appendix A - Integration with CORES
    Appendix B - Staff BYOD Exception Authorization Form
    Appendix C - Frequently Asked Questions – FAQ

1 PURPOSE AND SCOPE

The objective of The George Washington University Hospital (GWUH) and The Medical Faculty Associates (MFA) is to establish a secure channel for exchanging private, confidential patient information, protected health information (PHI) and critical information throughout the enterprise using mobile devices. This Standard Operating Procedure (SOP) details the rules of engagement, guidelines and work processes that are to be conducted and followed by the user base of TigerConnect (the secured texting application). This SOP also includes operational duties in support of secured texting services.

2 DEFINITIONS

TigerConnect (TC) is the selected software application for secured texting amongst Providers, Nurse to Provider (through EMR), Provider Administrative Assistants to Providers, Answering services, select management team and specific support individuals. The functionality of TigerConnect and the associated features that come with the app are the full extent available to the entire GWUH-MFA user base. Enhancements or unavailable features cannot be enabled or developed as part of a GWUH-MFA software development task. Any enhancement or unavailable feature will be escalated to TigerConnect Corporation for consideration. In the event TigerConnect makes provision for any enhancement or new feature, the procurement of that feature will require approval from both the CIO and CMO of each organization (GWUH Executive Management, GWUH IT Change Management and MFA Executive Management).

3 ROLES AND RESPONSIBILITIES

The operations support staff works Monday – Friday from 7AM until 7PM. After-hours and weekend support is available to assist with enrollment/provisioning, and backup devices are available to in-house inpatient providers. Technical issues or anomalies will be addressed on the next business day.

Each GWUH-MFA TigerConnect user is responsible for creating and managing their individual texting groups. However, the TigerConnect Admin is responsible for creating and maintaining Broadcast groups. The TigerConnect Admin team is responsible for ensuring the directory listing of names is up to date at all times. This includes the ability to view contacts on MFA from GWUH and vice versa.

Individual Groups

• Groups can be made on-the-fly by any user.

• Groups are private and are visible only to those who are in the group.

• Any user who is in the Group can see all messages sent within the Group, and can also reply.

Broadcast Distribution Lists

• Can only be set up and managed by Administrators within your organization.

• Distribution Lists are public, and any user in your organization can send a single message out to many (e.g. all Residents).

• Any replies go only to the sender that initiated the Distribution List message.

4 PROCEDURE

This Standard Operating Procedure (SOP) details the work processes that are to be conducted and followed by TigerConnect users. This SOP also includes rules of engagement and expected behavior by way of accountability and participation in secured texting.

4.1 Privacy

It is imperative for all TigerConnect users to be cognizant of privacy requirements, both personal and patient-related. It is a universal responsibility to abide by the HIPAA rules that guide patient confidentiality. TigerConnect users must maintain HIPAA privacy rules, which apply to all forms of a patient’s PHI, whether written or oral. The device or workstation should be secured at all times. If sending a photograph through TigerConnect is necessary for patient care, only use the camera function within the secure texting application. Please do not use your device's native camera because that image is NOT considered HIPAA secure.

4.2 Participation (Teamwork)

The Medical Faculty Associates (MFA), The George Washington University Hospital (GWUH) and The Graduate Medical Education (GME) Senior Leadership expect all patient care-related texting communication to go through TigerConnect. Therefore, texting communication between Providers and Medical staff should be performed using the TigerConnect App. All practicing Providers, Non-MFA members of the Medical staff, and Clinicians communicating patient information or healthcare-related information should do so using TigerConnect. We encourage those caring for patients in our institution to fully leverage TigerConnect secured texting features for discussing patient information, sharing knowledge, quick verifications and as necessary for better patient safety, quality and experience.

For example, the “Gold Team” group exists for Gold Team members and is used for all communication amongst the team; the same applies to the “Trauma Activation Response” Team. We highly encourage participation in the use of TigerConnect as a communication method amongst Providers and Clinicians. NO texting should occur outside of the TigerConnect software.

4.3 Role based Function

In an effort to improve response time and escalation to the appropriate care team, the TigerConnect Role Based feature enables one to see who is on-call for a specific specialty, and send a secured text to the person in that role. For example, the Medical Admitting Officer (MAO) could be reached through the TigerConnect role based feature. The Physician serving as MAO will manually swipe to assume the role at shift start, and at the end of the shift, the next person will manually swipe to take over the role. All conversations associated with the role (MAO) are passed on to the next person assuming that role. This applies to all active roles in TigerConnect. The nomenclature typically is the department name followed by resident or fellow or attending on call. Some may have an escalation point, which means it is the second person on call. For ease of browsing, the three levels are distinguished using a color code: Green for On-Call or first level contact, Yellow for escalation point and Black for Attending or Special role.

Note: The Directory Contact System (DCS) remains the system of record for all on-call listings and contains the complete list of all department on-call staff. DCS is accessible through the intranet or by contacting GWUH Contact Center at 202-715-4000. For MFA-based on-call listings not available in the DCS, please contact the corresponding department administrator.

4.4 Usage and Etiquette

Texting Etiquette is highly encouraged. Please use utmost respect and be considerate of those you’re texting and your group members.

4.4.1 Provider to Provider Communication and Medical Staff

TigerConnect should be used for all patient care-related Provider to Provider texting communications. Providers are encouraged to leverage TigerConnect secured texting features for discussing patient information, sharing knowledge, quick verifications and as necessary for better patient safety, quality and experience.

4.4.2 Provider to Nurse Communication

TigerConnect communication between Providers and Nurses is currently unidirectional. Nurses are expected to securely text Providers through SBAR integration with the CORES Application for patient-related issues. However, Providers are required to respond through phone call only. In addition, Clinical teams that do not have TigerConnect on their cellphone are required to use the following operating level agreement determinants in communicating their request to Providers. The associated time limit is the recommended response timeframe from Providers back to the requesting Nurse. See Appendix for examples.

Note: Nurse Managers have the ability to TigerConnect with Providers and engage in real-time conversation using TigerConnect. Nurse Managers are exempt from the unidirectional communication.

Routine - Text messages from Nurse or medical staff to Provider with “Routine” caption will be responded to as soon as possible. Maximum of 1 hour.

Urgent - Text messages from Nurse to Provider with “Urgent” caption should be responded to within 15 minutes or less. If no response in 15 minutes, the requestor can escalate to emergent by activating the “High Priority” feature in TigerConnect. This will break through a device that is set to silent or do-not-disturb with an alarm and request for response.

Emergent - Text messages from Nurse to Provider with “Emergent” caption and sent using the High Priority feature in TigerConnect should be responded to within 5 minutes or less.

4.4.3 Priority Messaging

Priority messaging is a feature that enables one to escalate an urgent notification through a unique audible alert. This should only be used for an urgent or emergent issue or an escalated notification for patient safety, quality or engagement.

First, these messages will generate multiple notifications until they are read, once every 2 minutes for up to 20 minutes. If you have in-app alerts disabled, the special tone will not play while you are active in the app, but it will play when the app is in the background.

Second, Priority Messages override other TigerConnect settings that otherwise prevent notifications, delivering with fanfare even to recipients who have activated Muting or Do Not Disturb mode. If a message cannot be delivered to a recipient who is not logged in, notifications escalate to SMS or email.

Third, when your patience is running out, you can press on any regular message and resend it as a Priority Message, the same way you would use Forward or Recall.

Finally, if you need to share urgent information with many people at once, keep in mind you can send a Priority Message to a Broadcast List. So for example, if there is some kind of change in a process or operational activity, you can use a Priority Message to send a strong alert to many staff members at once.

4.4.4 Answering Service

Answering Service operations will have access to the TigerConnect Desktop Client. The Desktop Client offers Answering services the ability to stay logged on and receive responses/replies (if required). Currently, the communication between the Answering Service (by SteriCycle) and Providers is unidirectional secured texting. That is, text messages are sent from the Answering service to Providers, similar to the Nurse to Provider communication mentioned above.

4.4.5 Complex Issues (Escalation/Severity)

All emergent and urgent issues should be escalated using the individual existing escalation procedure for patient care, safety and quality requirements. In the event the outcome of a TigerConnect conversation results in an emergent or urgent situation, the TigerConnect user is advised to initiate a phone call, appear in person or trigger their SOP for escalation/severity occurrence. Again, complex or urgent issues are best managed through a phone call or an in-person discussion.

4.4.6 Charting/EMR

TigerConnect is neither the system of record nor an alternative to EMR. In other words, TigerConnect is a method of communication similar to a phone call or text page and does not represent medical documentation. Data from TigerConnect does not flow into or out of CERNER or AllScripts TouchWorks or other EMR systems. For example, one can take a picture of a patient’s EKG or pertinent information in accordance with patient care using TigerConnect. However, Providers and Clinicians are REQUIRED to document in their respective EMR system (e.g. CERNER or AllScripts TouchWorks).

4.4.7 Inpatient and Outpatient

Providers and Medical staff are encouraged to use TigerConnect to exchange communication on patient status. When an admitted patient has an established outpatient primary care or specialist provider, the admitting provider is encouraged to TigerConnect the patient’s primary care Provider or outpatient specialist at the time of admission, with any major changes in status, and upon the patient’s discharge. With all MFA providers and medical staff eventually having access to TigerConnect, this is an easy method of maintaining a patient’s continuity of care.

4.4.8 TigerConnect Use in front of Patients/Family members

It is often necessary to view and sometimes respond to TigerConnect in front of patients. To be respectful of our patients, providers should always inform patients that the provider is checking and/or responding to a medical text. If the TigerConnecting takes longer, it may be appropriate for the provider to excuse oneself from the patient and return when the provider can focus on that individual patient.

4.5 Physician Order

TigerConnect is not an official system of record or formal process of issuing Physician Orders. All patient orders must be entered per usual protocols.

4.6 Consequences

TigerConnect is the only approved method of text messaging about clinical information. If providers are found to have sent PHI using non-TigerConnect standard text messaging, they may be referred to GME or Medical Staff management office for conduct review.

4.7 Data Retention

Retention of TigerConnect data is not available. All text messages expire after 5 days from date/time sent or received.

5 SECURITY

The physical security of mobile devices is the responsibility of the owner or the person who accepted possession of a GW Hospital/MFA assigned device. Please take reasonable precautions. Mobile devices must be kept in the individual’s possession at all times.

The TigerConnect information on the mobile device is secured and passcode protected. All TigerConnect messages expire after 5 days from date/time sent or received.

All mobile devices shall adhere to the following minimum security requirements:

a. Power-on password activated

b. Inactivity timeout activated

c. Device Mobile Management activated (only GWUH Employee)

Mobile devices include: personal digital assistants (PDAs), handheld computers, smart phones, iPads, tablets.

6 STAFF BYOD EXCEPTION

All Nurse Staff are required to use CORES through SBAR in CERNER to TigerConnect Providers, except for Nurse Managers and Directors. Nurse Managers and Directors are required to have TigerConnect on their phone(s). Nursing staff have access to TigerConnect through the Web Client or the TigerConnect Desktop Client.

GWUH/MFA does not require Nurse staff to have TigerConnect on their personal mobile device/phone. However, Nurse staff who would like to have TigerConnect on their personal device understand and accept that GWUH/MFA does not provide any monetary supplement or subsidy/stipend for use of personal device(s). The Nurse staff accept that the use of a personal device (BYOD – Bring Your Own Device) is voluntary and must obtain approval from their Manager/Director. Please see Section 9 and Appendix B.

7 CORPORATE POLICY

Policy Title: Secure Text Messaging

Location: UHS Corporate Policy

Section: Information Services

Policy Number: IS 3.02.06

Review Date: GW-4/11/2017

Original Effective Date: Origination Date

Current Effective Date: GW-4/14/2017

A. Scope: [2]

This Policy applies to all users, workforce members (employees and non-employees), and other individuals who have direct or indirect access to electronic confidential information and other information resources and information systems of subsidiaries of Universal Health Services, Inc., including UHS of Delaware, Inc., facilities (“Facilities”) and other subsidiaries, that create, store, maintain and/or transmit electronic confidential information (collectively referred to as “UHS” or “UHS companies”).

B. Purpose:

The purpose of this policy is to establish standards for texting electronic Protected Health Information (“ePHI”) and the security controls that must be in place to protect the security and privacy of ePHI.

Traditional text messaging methods cannot assure the privacy and confidentiality of text messages and the associated data stored on the device. Federal and state privacy regulations, including The Health Insurance Portability and Accountability Act (HIPAA), require that all Protected Health Information (PHI) remain confidential. Standard text messaging provided by your cellular carrier or phone does not adequately meet the security requirements imposed by regulations.

[2] Terms not defined in this Policy or UHS HIPAA Definitions maintained by the UHS Compliance Office (available online and from the UHS Compliance Office) will have the meaning as defined in any related State or Federal privacy and security law including the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”) and regulations promulgated thereunder by the U.S. Department of Health and Human Services (“HHS”) at 45 CFR Part 160 and 164, Subparts A and E (“Privacy Rule”) and Subparts A and C (“Security Rule”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”) privacy and security provisions of the American Recovery and Reinvestment Act for Long Term Care (“Stimulus Act”), Public Law 111-5, Title XIII and related regulations.

regulations.

C. Policy:

Health care providers may transmit patient information via text message to other health care providers on the treatment team.

Only UHS approved secure text messaging applications are permitted to be used for clinical purposes. Texting ePHI using standard phone or carrier provided text messaging (SMS/MMS) applications is prohibited.

The predefined lifespan for all secure text messages is 5 days.

Users of the UHS approved secure text messaging application will be responsible for taking reasonable and appropriate measures to protect the privacy and security of any UHS information stored on, or accessible through, the secure text messaging system and the mobile device at all times in accordance with all other UHS Security Policies.

Text messaging is not integrated with the medical record. Therefore, all secure texts involving patient care information or decisions should be charted to the medical record according to established procedures.

Only the minimum amount of patient information necessary should be texted.

Senders are responsible to verify the "to" field prior to sending the message to ensure positive identification of the person to whom the text message is being sent.

Users may not share ePHI with others who do not have a clinical relationship with the patient.

Staff and clinicians shall not rely on secure texting as a sole means of communication in emergency situations. The health care provider shall be paged or contacted by phone or in person to ensure direct communication of urgent patient information occurs.

Staff shall not store any files or data (pictures, video, voice files, screen captures and other files) containing ePHI on cloud-based storage solutions (such as Dropbox, Box, and Google Drive) or outside of the secure text messaging application.

Texting orders is prohibited because the method provides no ability to verify the identity of the person sending the order and there is no way to keep the original message as validation of what is entered into the medical record.

Critical test results cannot be transmitted exclusively via texting. The department performing/interpreting the test will report the critical result directly to a health care provider according to existing departmental policies and procedures.

Transmitting patient photographs via smart phone or other portable device:

Patient photographs may only be taken and transmitted via smart phone or other portable devices using a UHS/MFA approved secure texting application when immediate communication of a patient’s condition to another health care provider is necessary.

If the photograph is used to make medical treatment decisions, the photograph must be uploaded or its interpretation documented into the electronic health record to be charted.

The clinician should obtain or verify that written consent to take and transmit photographs has been obtained, before taking patient photographs.

D. Procedure:

Mobile devices and related software used to connect to UHS information systems or network(s) must employ appropriate security measures, such as passwords, auto-locking after a period of non-use, and data encryption both in transmission and in storage, where available. Mobile devices must be secured in accordance with the UHS Security policy Mobile Device Security Policy. Use of the UHS approved secure texting application helps to assure the security of text messages containing UHS confidential information in transmission or in storage.

Users must contact the local IS Department for instructions for acquiring the UHS approved secure texting application and to be enrolled for use of the application with other UHS or facility clinicians.

If a cell phone or other electronic device containing patient information is lost or stolen, immediately contact the local Information Services Help Desk. It is important that you do this PRIOR to canceling your cell service for the lost or stolen phone. It is possible to remotely erase all data on the phone by the IT Department only if the cell service is still active.

Users are required to remove the secure messaging software from their mobile device before disposal or sale of the device.

Originator: /s/ Michael S. Nelson

Michael S. Nelson

VP & CIO

Authorized: /s/Marc Miller

Marc Miller

President – UHS

E. Related UHS Policies:

UHS Security policy Acceptable Use

UHS Security policy Mobile Device Security Policy

UHS Security policy Sanctions for Security Violations

F. Related HIPAA Regulations:

45 C.F.R. § 164.308(a)(6)

G. Related Sox Operational Processes:

Enter Related Sox Operational Processes

H. The Joint Commission Standards:

Enter The Joint Commission Standards

I. Attachments:

Add Attachment(s)

8 CONTACT INFORMATION

This Standard Operating Procedure (SOP) details the work processes that are to be conducted by all TigerConnect users of GWUH/MFA and GME. If you have any questions or concerns, please contact GWUH ITSC @ 202-715-4955 or email [email protected]

9 GENERAL INFORMATION

As technology continues to advance and change the way we live and work, a smart, flexible mobile strategy will empower the workforce and drive greater productivity. The use of a personal device requires strong security of the device with passcode and restrictions. GWUH-MFA are not responsible for replacement of lost or stolen personal device(s). In the event of any security incident, GWUH-MFA retain the right to examine the employee's device for technical assessment. GWUH-MFA does not monitor any personal devices or have any type of access to them. The use of a personal device is subject to the GWUH-MFA IT Security policy.

APPENDIX A

Integration with CORES

APPENDIX B – STAFF BYOD EXCEPTION AUTHORIZATION FORM

APPENDIX C

Frequently Asked Questions – FAQ
